Technology and More

Networking and Ethical Hacking for the masses

UPDATE

Posted by Nicholas Beacham on July 13, 2008

All, just wanted to let you know it may be a while between my posts as I’m trying to get my business up and running, Des Moines PC Repair. So I will try to post on a weekly basis, but until things are settled it won’t be too often.

Nick.

Posted in Uncategorized

DNS Flaw

Posted by Nicholas Beacham on July 8, 2008

A major flaw in the Domain Name System (DNS) protocol was disclosed recently by Dan Kaminsky. It lets an attacker poison the cache of a recursive resolver, because a forged reply only has to match a 16-bit transaction ID to be accepted, and so redirect every user of that resolver to servers of the attacker’s choosing. Due to this discovery, US-CERT has called for vendors to issue patches immediately; the coordinated fix is to randomize the source port of outgoing queries so that a forger has to guess the port as well as the transaction ID. Read this article at networkworld.com for more information.
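To make the size of that guess space concrete, here is an added Python model of the check a resolver makes before accepting a reply. It is example code written for this page, not code from the article or from Kaminsky’s disclosure, and it assumes a simplified resolver that keeps one outstanding query, a fixed pre-patch port of 53, a patched port drawn from 1024–65535, and an off-path attacker who cannot see the query and simply floods forged replies. The random names the attacker triggers (rand0.example.com, rand1.example.com, …) are constructed for the model; they stand in for the part of the technique that lets the attacker restart the race as often as it likes rather than waiting for a cached answer to expire.

```python
import random
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed assumptions for the model: a 16-bit transaction ID, and a
# patched resolver that draws its source port from the ephemeral range.
TXID_SPACE = 1 << 16
EPHEMERAL_PORTS = range(1024, 65536)
FIXED_PORT = 53  # what many pre-patch resolvers used for every upstream query


@dataclass(frozen=True)
class PendingQuery:
    """What a recursive resolver remembers about a query it sent upstream."""
    qname: str
    txid: int
    src_port: int


@dataclass(frozen=True)
class Reply:
    """A reply as the resolver sees it: the name, the TXID and the port it arrived on."""
    qname: str
    txid: int
    dst_port: int
    answer: str


def resolver_accepts(pending: PendingQuery, reply: Reply) -> bool:
    """The only checks a non-DNSSEC resolver can make on a reply: the question
    matches, the TXID matches, and it arrived on the socket the query left from."""
    return (reply.qname == pending.qname
            and reply.txid == pending.txid
            and reply.dst_port == pending.src_port)


def send_query(rng: random.Random, qname: str, randomize_port: bool) -> PendingQuery:
    """Issue an upstream query with a random TXID and either a fixed or a random port."""
    port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
    return PendingQuery(qname, rng.randrange(TXID_SPACE), port)


def forged_replies(rng: random.Random, qname: str, count: int,
                   known_port: Optional[int]) -> Iterator[Reply]:
    """An off-path attacker cannot see the query, so it floods guesses.
    If the resolver's port is predictable, only the TXID has to be guessed."""
    for _ in range(count):
        port = known_port if known_port is not None else rng.choice(EPHEMERAL_PORTS)
        yield Reply(qname, rng.randrange(TXID_SPACE), port, "198.51.100.66")


def success_probability(guesses: int, randomize_port: bool) -> float:
    """Chance that at least one of `guesses` independent forged replies is accepted
    before the genuine answer arrives."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** guesses


def simulate(seed: int, queries: int, guesses_per_query: int, randomize_port: bool) -> bool:
    """Run the attack: each round the attacker makes the resolver look up a fresh
    random name (nothing is cached for it yet, so the race can be repeated at will)
    and floods forged replies for it. Returns True if any forgery was accepted."""
    rng = random.Random(seed)
    known_port = None if randomize_port else FIXED_PORT
    for i in range(queries):
        pending = send_query(rng, f"rand{i}.example.com", randomize_port)
        flood = forged_replies(rng, pending.qname, guesses_per_query, known_port)
        if any(resolver_accepts(pending, reply) for reply in flood):
            return True
    return False


if __name__ == "__main__":
    print(f"one guess, fixed port:      {success_probability(1, False):.2e}")
    print(f"one guess, random port:     {success_probability(1, True):.2e}")
    print(f"65536 guesses, fixed port:  {success_probability(65536, False):.3f}")
    print(f"65536 guesses, random port: {success_probability(65536, True):.2e}")
```

With a predictable port, 65536 forged replies give better than a 63% chance per race and the attacker can run race after race; with a random port the same flood has roughly a 1-in-65000 chance. Port randomization does not fix the protocol (DNSSEC does), it only makes the race impractical, and it is defeated again if a NAT in front of the resolver rewrites the ports back to a predictable sequence.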

Posted in News

Google

Posted by Nicholas Beacham on July 2, 2008

I’m sure most of you, like everyone, have used Google or have at least heard of it. But what you may not know is that Google can be very helpful in finding lots of juicy information. For instance, allintitle: “index of/root” may return something like this, and that’s just the tip of the iceberg. Check out this txt file that contains several search strings you can try, certain to keep you entertained for a long time. You can also locate the file on the left side of this page under the box.net widget. The search results are public pages, but poking at what you find on a system you have no authorization to test is not. Have fun, happy searching.

Posted in How-To, Information, Penetration Testing

Man in the Middle (MITM) Attacks

Posted by Nicholas Beacham on June 28, 2008

A MITM attack is a form of eavesdropping: the attacker inserts itself between two victims and relays messages between them, while making each believe it is talking directly to the other. On a local Ethernet segment this is usually done with ARP poisoning. There are several programs out there, however I prefer Ettercap.

I will give you a brief run-down of how this works, and at the end I will link you to a great video showing how it’s done in Ettercap.

Victim IP = 10.2.2.3 MAC: V (for demonstration purposes)
Interceptor = 10.2.2.2 MAC: I
Server = 10.2.2.1 MAC: S

The Interceptor sends the Victim a forged ARP reply claiming that 10.2.2.1 is at MAC I, and sends the Server a forged ARP reply claiming that 10.2.2.3 is at MAC I as well. ARP has no authentication, and most stacks will update an existing cache entry from an unsolicited reply, so both hosts quietly overwrite their ARP tables. From then on MAC V sends its frames for the server to MAC I, thinking it is the server, and MAC I forwards them on to MAC S (and the server’s replies back to V) while capturing everything in between. The forwarding matters: if the interceptor just sniffed and dropped, the two hosts would lose connectivity and someone would notice (Ettercap does the forwarding itself). With this captured traffic you can pull out cleartext passwords and other information useful to your penetration test; anything encrypted end to end, such as SSH or HTTPS, will not give up its contents this way unless the victim clicks through a host-key or certificate warning. Enjoy, and as promised here is that video: ARP poisoning with Ettercap
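To show what those two forged replies actually contain, and what they do to each host’s ARP table, here is an added Python example. It is written for this page, not taken from Ettercap or the linked video, and it uses constructed MAC addresses for V, I and S (02:00:00:00:00:03, 02:00:00:00:00:02 and 02:00:00:00:00:01). It builds the Ethernet/ARP frames as bytes, feeds them to a minimal model of a host’s ARP cache, and also shows the check an arpwatch-style monitor makes to detect the attack: an IP address that suddenly moves to a different MAC.

```python
import struct
from typing import Dict, List, Tuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed MACs for the three hosts in the post (V, I, S).
MAC_V = "02:00:00:00:00:03"  # Victim 10.2.2.3
MAC_I = "02:00:00:00:00:02"  # Interceptor 10.2.2.2
MAC_S = "02:00:00:00:00:01"  # Server 10.2.2.1


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP reply 'sender_ip is at sender_mac', unicast to target."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame: bytes) -> Tuple[int, str, str, str, str]:
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) from an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    return (opcode, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpCache:
    """Model of a host's ARP table. Like most stacks it updates an existing entry from
    any reply it sees, solicited or not, which is the weakness ARP poisoning exploits."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[Tuple[str, str, str]] = []  # (ip, old_mac, new_mac)

    def learn(self, frame: bytes) -> None:
        opcode, sender_mac, sender_ip, _, _ = parse_arp(frame)
        if opcode != ARP_REPLY:
            return
        old = self.table.get(sender_ip)
        if old is not None and old != sender_mac:
            # The check an arpwatch-style monitor makes: an IP moved to another MAC.
            self.alerts.append((sender_ip, old, sender_mac))
        self.table[sender_ip] = sender_mac


def poison() -> Tuple[ArpCache, ArpCache]:
    """Replay the post's scenario and return the Victim's and the Server's ARP caches."""
    victim, server = ArpCache(), ArpCache()
    # Legitimate state before the attack: each host already knows the other.
    victim.learn(arp_reply(MAC_S, "10.2.2.1", MAC_V, "10.2.2.3"))
    server.learn(arp_reply(MAC_V, "10.2.2.3", MAC_S, "10.2.2.1"))
    # The interceptor's two forged replies.
    victim.learn(arp_reply(MAC_I, "10.2.2.1", MAC_V, "10.2.2.3"))  # "10.2.2.1 is at I"
    server.learn(arp_reply(MAC_I, "10.2.2.3", MAC_S, "10.2.2.1"))  # "10.2.2.3 is at I"
    return victim, server


if __name__ == "__main__":
    v, s = poison()
    print("victim thinks 10.2.2.1 is at", v.table["10.2.2.1"])
    print("server thinks 10.2.2.3 is at", s.table["10.2.2.3"])
    print("alerts:", v.alerts + s.alerts)
```

Ettercap keeps re-sending these replies every few seconds, because the genuine hosts’ own ARP traffic would otherwise repair the tables. On the defensive side, static ARP entries for the gateway, dynamic ARP inspection on the switch, or simply logging the IP-to-MAC changes the `alerts` list records are what catch it.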

Posted in How-To, Penetration Testing, Uncategorized

Backtrack 3 Again!!

Posted by Nicholas Beacham on June 27, 2008

Well, it appears that most of the viewers want to read about Backtrack 3, or at least that’s what my stats are telling me. So I’m opening up this post to get some feedback on what you all want to know about it, and I will dig up the information for you. Just leave a comment and I will respond ASAP.

Posted in Uncategorized

Charter Communications to Scrap Plan With NebuAd

Posted by Nicholas Beacham on June 26, 2008

Charter Communications has finally pulled the plug on a plan that would automatically target users with advertising based on their surfing activity. In May, they announced a pilot program with partner NebuAd in which they would use deep packet inspection technology to serve ads based on users’ interests. You can probably guess this drew some unwanted attention from several people, including two key members of Congress: Rep. Ed Markey, a Massachusetts Democrat, and Rep. Joe Barton, a Republican from Texas.
This is obviously a good thing for all of you security-conscious folks out there. It works like this: NebuAd places hardware at the ISP’s head end that sees all of a subscriber’s inbound and outbound traffic and builds a profile of their browsing habits. It uses this profile to insert relevant ads into the web pages of sites that have signed up with the NebuAd network.
NebuAd serves up these ads by placing tracking cookies on your machine, which is normal for most websites. However, the manner in which these cookies are placed is not. Say you visit Google, which has no affiliation with NebuAd and so would not serve NebuAd cookies. What NebuAd does is inject its own data into the HTML that Google served: the box forges a new packet with the same source IP address and port number as the Google server, and fills in the TCP sequence and acknowledgement numbers so that the packet lands exactly where the next bytes from Google would go. TCP has no way to authenticate who sent a segment, so the user’s system accepts it as part of the legitimate stream. The packet contains a bit of JavaScript that directs the user’s browser to a NebuAd-related site, from which the machine then downloads the cookie. This only works because the traffic is plain HTTP; on an HTTPS connection the injected bytes would fail the TLS integrity check and the browser would drop the connection rather than run the script.
As you can see, it is essentially forcing you to accept the cookie, because if you delete it the process starts over again on the next cleartext page you load. This is why the program was frowned upon: it monitors your browsing habits and sells them to third-party ad agencies. It’s kind of like adware, you know, the stuff we try to keep OFF the computer.
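Here is an added Python model of why that forged packet is accepted. It is example code written for this page, not NebuAd’s or anyone else’s, and it models only the parts of TCP that matter for the point: the client’s receive side checks the 4-tuple and the next expected sequence number and nothing else. The addresses, the page and the tracker URL (tracker.example) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    """The parts of an IP/TCP segment that matter for acceptance (checksums not modelled)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: bytes


class ClientConnection:
    """Receive side of one established client connection. TCP has no sender
    authentication: a segment is accepted if the 4-tuple matches and its data
    starts at the next expected sequence number."""

    def __init__(self, local: str, lport: int, remote: str, rport: int, rcv_nxt: int) -> None:
        self.local, self.lport, self.remote, self.rport = local, lport, remote, rport
        self.rcv_nxt = rcv_nxt
        self.stream = bytearray()
        self.dropped: List[Tuple[str, Segment]] = []

    def receive(self, seg: Segment) -> bool:
        if (seg.src, seg.sport, seg.dst, seg.dport) != (self.remote, self.rport, self.local, self.lport):
            self.dropped.append(("wrong connection", seg))
            return False
        if seg.seq != self.rcv_nxt:
            # Real stacks buffer data that is ahead of rcv_nxt; data at or behind it
            # is treated as a retransmit and discarded. Both are "not accepted" here.
            self.dropped.append(("duplicate or out of order", seg))
            return False
        self.stream += seg.payload
        self.rcv_nxt += len(seg.payload)
        return True


def forge_after(observed: Segment, payload: bytes) -> Segment:
    """What an on-path box does: copy the server's addresses and ports and place the
    payload exactly where the server's next bytes would go."""
    return Segment(observed.src, observed.sport, observed.dst, observed.dport,
                   observed.seq + len(observed.payload), observed.ack, payload)


# Constructed traffic: a client fetching a page from a web server over plain HTTP.
SERVER, CLIENT = "203.0.113.10", "192.0.2.25"
PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>"
INJECTED = b'<script src="http://tracker.example/track.js"></script>'  # hypothetical tracker URL


def run_injection() -> Tuple[bytes, List[str]]:
    """Return the bytes the browser ends up seeing and why each rejected segment was dropped."""
    client = ClientConnection(CLIENT, 51000, SERVER, 80, rcv_nxt=1000)
    genuine = Segment(SERVER, 80, CLIENT, 51000, 1000, 501, PAGE)
    client.receive(genuine)
    # The injector saw `genuine` go by and races the server with a forged continuation.
    client.receive(forge_after(genuine, INJECTED))
    # Whatever the real server sends next at that sequence number now loses the race.
    late = Segment(SERVER, 80, CLIENT, 51000, genuine.seq + len(PAGE), 501, b"\r\n")
    client.receive(late)
    # A forgery that did not copy the sequence number is simply dropped.
    client.receive(Segment(SERVER, 80, CLIENT, 51000, 424242, 501, INJECTED))
    return bytes(client.stream), [reason for reason, _ in client.dropped]
```

The client ends up with the genuine page followed by the injected script, and the server’s own next segment is discarded as a duplicate. Nothing at the TCP layer can tell the two apart, which is why the only real protection is end-to-end integrity at a higher layer.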

Feel free to discuss…

Posted in News

Update to Virtual Machine with Backtrack

Posted by Nicholas Beacham on June 25, 2008

I just wanted to clarify something in my article Virtual Machine and Backtrack 2. I had mentioned there that it was best to run it with a bridged connection; however, I want to clarify that if you are going to be running any other penetration-testing distros, or any other OSes, along with Backtrack, then it’s best to run them under a NAT connection, so the lab machines talk to each other on VMware’s private network instead of sitting on your real LAN. It’s a simple change really: either edit the .VMX file and set ethernet0.connectionType = "nat" (the bridged setting is ethernet0.connectionType = "bridged"), or simply select Devices, Ethernet, Bridged or NAT while VMware Player is running. Just thought I would mention that.
Keep checking back, more posts to come.

Posted in Uncategorized

Nmap and Information Gathering

Posted by Nicholas Beacham on June 25, 2008

There are several steps one needs to take when doing a security audit of any network. One of the first is gathering information, because, let’s face it, you can’t hack it without knowing a bit about it first. This brings us to step one of security auditing: information gathering.
There are several tools available for gathering information on your target, several of them included in the Backtrack distro. One of my favorites is Nmap, which you can find at Insecure.org. There is plenty of documentation provided to help you get started, but let me give you a run-down of what Nmap is used for.
Nmap is a port scanner: it sends raw TCP/IP packets and uses the replies (or the lack of one) to work out which ports on a target machine are open, closed, or filtered. Ports are 16-bit numbers that TCP and UDP use to map packets to services; here is a list of common TCP ports:

21 FTP
22 SSH
23 Telnet
25 SMTP
80 HTTP
110 POP3
etc.

Nmap uses TCP flags to find these open/closed ports. The TCP flags are SYN, ACK, RST, FIN, PSH, URG, and sometimes NS, CWR, and ECE. A normal connection, the three-way handshake, works like this: the host sends the target a packet with the SYN (synchronize) flag set, the target responds with SYN and ACK (acknowledgement) set, the host replies with an ACK, and then the connection is established and data can be sent. A closed port answers the SYN with a RST (reset) instead. For more information google TCP/IP flags.
Now this ties into Nmap like this: we can use it to send a TCP packet with one of these flags set and watch what comes back. nmap -sS sends a SYN to each port: a SYN/ACK back means the port is open, a RST means it is closed, and no answer (or an ICMP unreachable) means something is filtering it. Nmap never completes the handshake, it answers the SYN/ACK with a RST, which is why this is called a half-open scan. Keep in mind that different packets will return different results depending on the target’s security: a stateless firewall that only blocks SYNs will swallow a SYN scan’s probes, while an ACK scan (-sA) of the same ports gets a RST back from open and closed ports alike, which tells you which ports are unfiltered but not whether anything is listening. So I suggest you play around with nmap and get used to all the options it has.
Once you have assessed your target machine and found any open ports that may be exploitable, go from there. Say the target machine has port 80 open; this would indicate it may be running a web server. Pull up your web browser and type in http://ipaddress (port 80 is the default; for a web server found on another port add it, e.g. http://ipaddress:8080) and see if you can find a web page with any sort of contact information that may be useful in gathering user names, passwords, or anything else you can use.
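To make the flag logic concrete, here is an added Python example that does what Nmap does with the replies: it builds and parses minimal TCP headers and classifies each probed port for a SYN scan (-sS) and for an ACK scan (-sA). It is example code written for this page, not Nmap’s own code, and the replies from the target are constructed byte strings rather than packets sent on the wire (Nmap also treats ICMP unreachable errors as filtered, which is not modelled here).

```python
import struct
from typing import Dict, Optional

# TCP flag bits, the low 9 bits of the data-offset/flags word in the header.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK",
              URG: "URG", ECE: "ECE", CWR: "CWR", NS: "NS"}


def tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (checksum left at 0; enough for the parsing examples)."""
    offset_and_flags = (5 << 12) | (flags & 0x1FF)  # 5 words of header, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> int:
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", header[12:14])[0] & 0x1FF


def flag_names(flags: int) -> str:
    return "/".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def classify_syn_scan(response: Optional[bytes]) -> str:
    """nmap -sS: we sent SYN. SYN/ACK means a listener answered (open); RST means the
    host is up but nothing listens (closed); silence means a firewall ate the probe
    (filtered). Nmap then sends RST itself instead of finishing the handshake."""
    if response is None:
        return "filtered"
    f = tcp_flags(response)
    if f & SYN and f & ACK:
        return "open"
    if f & RST:
        return "closed"
    return "unexpected:" + flag_names(f)


def classify_ack_scan(response: Optional[bytes]) -> str:
    """nmap -sA: we sent a bare ACK. Any unfirewalled port, open or closed, answers RST,
    so this maps what a stateless firewall lets through, not what is listening."""
    if response is None:
        return "filtered"
    f = tcp_flags(response)
    return "unfiltered" if f & RST else "unexpected:" + flag_names(f)


def scan_report(responses: Dict[int, Optional[bytes]], scan: str) -> Dict[int, str]:
    """Map each probed port to its state; `responses` holds the reply per port or None."""
    classify = classify_syn_scan if scan == "syn" else classify_ack_scan
    return {port: classify(resp) for port, resp in responses.items()}


# Constructed replies from a target: 80 has a listener, 23 is closed, 445 is firewalled.
SYN_SCAN_REPLIES: Dict[int, Optional[bytes]] = {
    80: tcp_header(80, 40000, 1, 2, SYN | ACK),
    23: tcp_header(23, 40000, 0, 2, RST | ACK),
    445: None,
}
# The same ports probed with bare ACKs. A stateless firewall that only drops inbound
# SYNs lets the ACK through to 445, so 445 answers RST and shows as "unfiltered".
ACK_SCAN_REPLIES: Dict[int, Optional[bytes]] = {
    80: tcp_header(80, 40000, 0, 0, RST),
    23: tcp_header(23, 40000, 0, 0, RST),
    445: tcp_header(445, 40000, 0, 0, RST),
}

if __name__ == "__main__":
    print("SYN scan:", scan_report(SYN_SCAN_REPLIES, "syn"))
    print("ACK scan:", scan_report(ACK_SCAN_REPLIES, "ack"))
```

Reading the two reports side by side is the point of running both scans: the SYN scan says 445 is filtered, the ACK scan says the filter is stateless (it passed the ACK), which tells you what kind of firewall is in front of the host before you pick the next probe.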
Again, there are several programs and documents out there for you to read and study: read the man pages of the tools provided in Backtrack, visit websites, join forums. Do whatever it takes to learn, and don’t give up.

Posted in How-To, Information, Penetration Testing

de-ice.net and OSSTMM

Posted by Nicholas Beacham on June 24, 2008

Sorry it’s been a few days since my last post; I’m still waiting for the cable company to come out and re-run some lines for me. Moving on.

I wanted to touch base today on a few things: firstly, another pen-test lab setup that I stumbled upon, and then a bit of information to point you in the right direction for pen-testing.

First I want to point you to de-ice.net. It was set up by a professional penetration tester to provide resources and materials for penetration testers. On the site you will find a couple of live CDs configured specifically for penetration-testing practice. They were set up with scenarios ranging in skill level, the first one being the beginner level. You can run them in virtual machines on your PC or load them on separate machines and work with them over your internal network. Directions to load them as virtual machines can be found here. You can also find video walkthroughs, however I urge you to attempt them yourself before watching the videos. Just remember the CDs are meant to be the victim machines, so you need to load two: the victim, and your preferred pen-test OS.

Moving on, I wanted to talk about a few resources out there to help you get started with penetration testing. First and foremost, GOOGLE. I’m sure a lot of people tell you that, however it really is the ultimate resource. If you’re stuck on something, need help, or just don’t know where to go, pop open Google and search for it.
Okay, now that that’s out of the way, you’re probably wondering “what are some things I should know before hacking?” Well, there is a bit of knowledge involved, but anyone can learn it. You definitely need to know some networking, not just the hardware involved, but also the theory, protocols, implementation, topologies, subnetting, TCP/IP, the OSI model, and so on. It’s not too much to take in if you have prior IT experience, just mainly a touch base with this and that. So get yourself a networking book, learn the common ports and protocols, and you’re well on your way.
Another good read is the OSSTMM, the Open Source Security Testing Methodology Manual. It’s basically a book, a free book, that goes in depth into the methodology of security testing. If you currently have Backtrack you can find it under Documentation; if you don’t, hop on over to Google.

That’s all I have for right now, as I am typing this up at work. Check back later for more updates, and hopefully I will be able to post from home soon :(.

Posted in How-To, Penetration Testing

Types of Hackers

Posted by Nicholas Beacham on June 21, 2008

Hack-er
a. a computer enthusiast. 
b. a microcomputer user who attempts to gain unauthorized access to proprietary computer systems. 

That’s how dictionary.com defines it, and it is somewhat true. What it does not explain is that there are different types of hackers; I will do that for you now.

Black Hat:
Okay, your black hat hackers are what Hollywood portrays hackers to be: malicious, arrogant, and money hungry. The types that will break into a system and crash it, or take personal data for their own gain. These are the types that YOU don’t want to be, because it’s ILLEGAL and immoral.

Gray Hat:
These fellows aren’t so sure what they want, good or bad. They hover in between, cracking systems just to have a look around, with the occasional bit of maliciousness. Usually they are harmless, but don’t underestimate them.

White Hat:
The good guys: the ones who attempt to break a system’s security and then report it to the admin and assist them in fixing it. These are your ethical hackers, who are out to do good. This is what YOU should be.

Essentially, hacking is fun, but you should never do it for your own gain. We are here to help the IT world find and fix their security flaws, not benefit from them. So explore, have fun, and share your secrets, but not the victims’.

Posted in Information, Penetration Testing